STIX 2.1 Known issues

No support for object versioning

STIX 2.1 object versioning is not supported.

In STIX 2.1, a changed object keeps its id and is republished with a later modified timestamp. EclecticIQ Intelligence Center does not do this: when a STIX 2.1 object is ingested as an entity and that entity is later modified, exporting or packing it in an outgoing feed produces a completely new STIX 2.1 object instead of a new version of the original, regardless of what changed.

Consequently, when the entity is changed in EclecticIQ Intelligence Center:

  • Any STIX 2.1 information retained in its original_stix21_objects field is discarded.

  • When the entity is exported or packed in an outgoing feed, a new STIX ID is generated for the resulting SDO. Consumers therefore see an object that is unrelated to the “originating” STIX 2.1 object, not a newer version of it.

EclecticIQ Intelligence Center maintains its own internal versioning system for entities; that versioning is not expressed in the exported STIX 2.1 objects.

Invalid STIX 2.1 objects are not ingested

Invalid STIX 2.1 objects are ignored by this feed: they are skipped during ingestion and do not become entities.

For example, a STIX 2.1 Indicator SDO that is missing the pattern property is not ingested, because pattern is a required property in the STIX 2.1 specification.
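A small pre-flight validator, added here as an example and not part of EclecticIQ Intelligence Center or its documentation, that checks a bundle against a subset of the STIX 2.1 required-property rules before the objects reach the incoming feed, so that objects the feed would silently ignore are reported with a reason instead. The rule tables, the helper names and the sample bundle are constructed for the example and cover only a few object types; extend the tables for the types you actually produce.

```python
"""Pre-flight validation of STIX 2.1 objects before they reach an incoming feed.

Added example, not EclecticIQ code. It checks a subset of the STIX 2.1
required-property rules so that objects the feed would silently ignore are
reported with a reason instead. The rule tables cover only a few object types
and the sample bundle is constructed.
"""
import re

SDO_COMMON = ("type", "spec_version", "id", "created", "modified")  # SDOs and SROs
SCO_COMMON = ("type", "id")                                          # SCOs (spec_version optional)
SCO_TYPES = {"ipv4-addr", "ipv6-addr", "domain-name", "url", "email-addr", "file", "artifact"}

# Per-type required properties (subset of the specification; extend as needed).
TYPE_REQUIRED = {
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "malware": ("is_family",),
    "identity": ("name",),
    "report": ("name", "published", "object_refs"),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
    "ipv4-addr": ("value",),
    "domain-name": ("value",),
    "url": ("value",),
}

# <type>--<uuid>: lower-case type name, lower-case hex UUID.
ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def validate_object(obj):
    """Return the list of problems found; an empty list means the object passes."""
    problems = []
    obj_type = obj.get("type", "")
    is_sco = obj_type in SCO_TYPES
    common = SCO_COMMON if is_sco else SDO_COMMON
    problems += [f"missing {p}" for p in common if p not in obj]
    # spec_version is optional on SCOs, mandatory (and "2.1") everywhere else.
    if obj.get("spec_version", "2.1" if is_sco else None) != "2.1":
        problems.append("spec_version is not 2.1")
    obj_id = obj.get("id", "")
    if not ID_RE.match(obj_id):
        problems.append("malformed id")
    elif not obj_id.startswith(obj_type + "--"):
        problems.append("id prefix does not match type")
    problems += [f"missing {p}" for p in TYPE_REQUIRED.get(obj_type, ()) if p not in obj]
    return problems


def partition_bundle(bundle):
    """Split a bundle's objects into (accepted objects, [(id, problems)] rejected)."""
    accepted, rejected = [], []
    for obj in bundle.get("objects", []):
        problems = validate_object(obj)
        if problems:
            rejected.append((obj.get("id", "<no id>"), problems))
        else:
            accepted.append(obj)
    return accepted, rejected


# Constructed sample: one valid Indicator, one Indicator missing pattern, one SCO.
TS = "2024-03-01T00:00:00.000Z"
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--0a1b2c3d-4e5f-4a6b-8c7d-8e9f0a1b2c3d",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--3f8c2d0e-1a3b-4c5d-8e9f-0a1b2c3d4e5f",
         "created": TS, "modified": TS, "name": "Known bad domain",
         "pattern": "[domain-name:value = 'example.invalid']",
         "pattern_type": "stix", "valid_from": "2024-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--5b1d7e9a-2c4f-4a6b-9d0e-1f2a3b4c5d6e",
         "created": TS, "modified": TS, "name": "Missing its pattern",
         "pattern_type": "stix", "valid_from": "2024-03-01T00:00:00Z"},
        {"type": "ipv4-addr",
         "id": "ipv4-addr--7c3e9f1b-4d6a-4b8c-8f1a-2b3c4d5e6f70",
         "value": "198.51.100.7"},
    ],
}

if __name__ == "__main__":
    accepted, rejected = partition_bundle(SAMPLE_BUNDLE)
    print("accepted:", [o["id"] for o in accepted])
    for obj_id, problems in rejected:
        print("rejected:", obj_id, "->", ", ".join(problems))
```

Run it over the bundle you are about to publish: every entry in the rejected list is an object the incoming feed would drop without telling you, and the recorded reason is what you need to fix upstream. The check is deliberately narrower than a full STIX 2.1 validator; it does not parse the pattern, check timestamp formats, or cover every object type.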

Outgoing feeds

TLP overrides and TLP filtering

When you apply TLP overrides or TLP filters to an outgoing feed that uses the STIX 2.1 content type, you may encounter the following issues:

  • TLP overrides cause new IDs to be generated for each affected STIX 2.1 object. In effect, when these EclecticIQ Intelligence Center entities are transformed into STIX 2.1 objects, this creates:

    • new “versions” of these entities, and

    • new “derived-from” relationships between the new and original “versions” of these entities.

    In particular, multiple “versions” of Identity SDOs and statement marking objects may appear where you would expect only a single instance of these STIX 2.1 objects.

  • When TLP overrides are applied to an outgoing feed, ingesting the data packaged by that feed in another EclecticIQ Intelligence Center instance produces broken relationships.

    To override or filter the TLPs applied to the packed objects, EclecticIQ Intelligence Center generates new versions of those objects with new IDs. This breaks the references (source_ref, target_ref, object_marking_refs and similar properties) that entity relationships depend on. You must reconcile these relationships manually after ingestion.
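The two effects above (duplicate “versions” of Identity SDOs and statement markings, and relationships whose references no longer resolve) can be detected, and the duplicates collapsed, on the consuming side before the bundle is ingested elsewhere. The following script is an added example, not code from EclecticIQ Intelligence Center: it fingerprints each object with id, created and modified removed, groups objects that differ only in those properties, reports every *_ref and *_refs value that points at an id absent from the bundle, and rewrites references onto one representative id. The sample bundle, the helper names and all ids in it are constructed.

```python
"""Consumer-side checks for a STIX 2.1 bundle packed by an outgoing feed.

Added example, not EclecticIQ code. Finds objects that differ only in
id/created/modified (the duplicate Identity and statement-marking "versions"
the page describes), finds *_ref / *_refs values pointing at ids absent from
the bundle (the broken relations after a TLP override), and collapses the
duplicates onto one representative id. All ids and objects below are constructed.
"""
import json

# Properties that change when an entity is re-emitted as a "new" STIX object.
VOLATILE = {"id", "created", "modified"}

# Constructed identifiers for the sample bundle.
ORG_A = "identity--6c1f9a0e-2b3c-4d5e-8f70-112233445566"
ORG_B = "identity--7d2f0b1f-3c4d-4e6f-9081-223344556677"
MARK_A = "marking-definition--8e3f1c20-4d5e-4f70-a192-334455667788"
MARK_B = "marking-definition--9f402d31-5e6f-4081-b2a3-445566778899"
IND = "indicator--a0513e42-6f70-4192-83b4-5566778899aa"
REL_DERIVED = "relationship--b1624f53-7081-42a3-9c5d-66778899aabb"
REL_INDICATES = "relationship--c2735064-8192-43b4-8d6e-778899aabbcc"
MALWARE_MISSING = "malware--d3846175-92a3-44c5-9e7f-8899aabbccdd"  # never packed into the bundle


def _identity(obj_id, created):
    return {"type": "identity", "spec_version": "2.1", "id": obj_id, "created": created,
            "modified": created, "name": "Example Org", "identity_class": "organization"}


def _statement(obj_id, created):
    return {"type": "marking-definition", "spec_version": "2.1", "id": obj_id,
            "created": created, "definition_type": "statement",
            "definition": {"statement": "Copyright 2024 Example Org"}}


SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--e4957286-a3b4-45d6-8f80-99aabbccddee",
    "objects": [
        _identity(ORG_A, "2024-01-01T00:00:00.000Z"),
        _identity(ORG_B, "2024-02-01T00:00:00.000Z"),    # same org, re-emitted after a TLP override
        _statement(MARK_A, "2024-01-01T00:00:00.000Z"),
        _statement(MARK_B, "2024-02-01T00:00:00.000Z"),  # same statement, re-emitted
        {"type": "indicator", "spec_version": "2.1", "id": IND,
         "created": "2024-02-01T00:00:00.000Z", "modified": "2024-02-01T00:00:00.000Z",
         "created_by_ref": ORG_B, "object_marking_refs": [MARK_A, MARK_B],
         "pattern": "[domain-name:value = 'example.invalid']", "pattern_type": "stix",
         "valid_from": "2024-02-01T00:00:00Z"},
        {"type": "relationship", "spec_version": "2.1", "id": REL_DERIVED,
         "created": "2024-02-01T00:00:00.000Z", "modified": "2024-02-01T00:00:00.000Z",
         "relationship_type": "derived-from", "source_ref": ORG_B, "target_ref": ORG_A},
        {"type": "relationship", "spec_version": "2.1", "id": REL_INDICATES,
         "created": "2024-02-01T00:00:00.000Z", "modified": "2024-02-01T00:00:00.000Z",
         "relationship_type": "indicates", "source_ref": IND, "target_ref": MALWARE_MISSING},
    ],
}


def fingerprint(obj):
    """Canonical JSON of an object with the volatile properties removed."""
    stable = {k: v for k, v in obj.items() if k not in VOLATILE}
    return json.dumps(stable, sort_keys=True, separators=(",", ":"))


def find_duplicates(objects):
    """Map the first-seen id of each duplicate group to the ids that repeat its content."""
    groups = {}
    for obj in objects:
        groups.setdefault(fingerprint(obj), []).append(obj["id"])
    return {ids[0]: ids[1:] for ids in groups.values() if len(ids) > 1}


def iter_refs(obj):
    """Yield (property, referenced id) for every *_ref and *_refs property."""
    for key, value in obj.items():
        if key.endswith("_ref") and isinstance(value, str):
            yield key, value
        elif key.endswith("_refs") and isinstance(value, list):
            for ref in value:
                yield key, ref


def find_dangling_refs(objects):
    """List (object id, property, target id) for references to ids absent from the bundle."""
    present = {obj["id"] for obj in objects}
    return [(obj["id"], key, ref)
            for obj in objects for key, ref in iter_refs(obj) if ref not in present]


def collapse_duplicates(objects):
    """Drop duplicate objects, point references at the surviving id, and drop the
    derived-from relationships that only linked a duplicate to its original."""
    alias = {dup: rep for rep, dups in find_duplicates(objects).items() for dup in dups}
    kept = []
    for obj in objects:
        if obj["id"] in alias:
            continue
        new = dict(obj)
        for key, value in obj.items():
            if key.endswith("_ref") and isinstance(value, str):
                new[key] = alias.get(value, value)
            elif key.endswith("_refs") and isinstance(value, list):
                new[key] = list(dict.fromkeys(alias.get(r, r) for r in value))
        if new.get("type") == "relationship" and new.get("source_ref") == new.get("target_ref"):
            continue  # self-relationship left behind once both "versions" are merged
        kept.append(new)
    return kept


if __name__ == "__main__":
    objs = SAMPLE_BUNDLE["objects"]
    print("duplicates:", find_duplicates(objs))
    print("dangling:", find_dangling_refs(objs))
    print("kept:", [o["id"] for o in collapse_duplicates(objs)])
```

The fingerprint is deliberately blunt: any two objects whose content is identical apart from id and timestamps are merged, so review the duplicate groups before applying the collapse. References to objects that are not in the bundle at all are only reported, not repaired, because the missing target is not available on the consuming side; those are the relations the page says you must reconcile by hand.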

Indicators are only packed with specific configuration

Most EclecticIQ indicators can be packed as STIX 2.1 Indicator SDOs without further configuration. However, in some cases an outgoing feed drops EclecticIQ indicator entities.

Currently, an EclecticIQ indicator entity must have at least one of the following for an outgoing feed to pack it as a STIX 2.1 Indicator SDO:

  • A test mechanism, with one of the following types:

    • Generic

    • SNORT

    • YARA

  • A related observable with one of the supported SCO types.

    Caution

    If your EclecticIQ indicator entity has only related observables and no test mechanism, you must include those observable types in the outgoing feed configuration’s Observable and Enrichment Observable types > Observable types field. Otherwise the indicator is dropped from the feed.

Tip

For more information about the STIX 2.1 Indicator SDO and how EclecticIQ indicator entities are mapped to and from it, see the STIX 2.1 documentation.